Cyber espionage attacks have been known for around 10 years. Security vendors keep inventing new technology to defend against them. Many solutions look fancy, but breaches keep happening. People spend a lot of budget improving their fences, yet the effectiveness of these security products remains doubtful. In Taiwan we have more than 10 years of history with cyber espionage attacks. Government, enterprises, and security vendors have fought hard against the threat actors, but new victims are still compromised day by day.
In recent years many Japanese government agencies, defense industry companies, and enterprises have suffered attacks from cyber espionage groups. We keep seeing breaches and incidents in the news. We believe many victims still have no good strategy to defend themselves and control the situation.
In this talk, cyber espionage attacks of the last decade are discussed from the Asia Pacific region's point of view. We discuss why security solutions did not work, and how actors easily bypassed those fancy solutions and adopted countermeasures quickly at very low cost. Drawing on our experience from hundreds of incident responses and several years of consulting for victims, we propose a security model to prevent, detect, react to, and remediate cyber espionage threats.
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - CODE BLUE 2015
1. Failures Of Security Industry In The Last Decade
Lessons Learned
From Hundreds of
Cyber Espionage Breaches
Sung-ting Tsai (TT), Chi-en Shen (Ashley)
Oct 29, 2015
2. Agenda
• Cyber Espionage Attacks In The Last Decade
APT Review
Operation Eclipse
Attacks Against The Whole World
• Failures of Security Industry
Existing Solutions And How They Failed On APT Attacks
• Dealing with Cyber Espionage threats
You Will Be Pwned, Sooner Or Later
The Endless War
Defense In Depth
Case Study
• Conclusion
Suggestions to Targeted Organizations
Suggestions to Security Vendors
3. Sung-ting Tsai (TT)
CEO at Team T5 Inc.
• Frequent Black Hat conference speaker
• Vulnerability researcher and holder of several CVE IDs
• 10+ years on security product development
• 8+ years experience on cyber threat research
• Organizer of HITCON (Hacks in Taiwan Security Conference)
tt@teamt5.org
4. Chi-en Shen (Ashley)
Senior Threat Analyst at Team T5 Inc.
• Malicious document, malware analysis, APT research
• Tracking several cyber espionage groups for years
• Core member and speaker of HITCON GIRLS.
• HITCON speaker
ashley@teamt5.org
5. Team T5 Inc.
Founded: January 2013
Based in: Taipei
Website: https://www.teamt5.org
• Who We Are:
• Cyber threat intelligence, research, and service
provider.
• World-leading research on Asia Pacific cyber
espionage threats.
• What We Do:
• We monitor, analyze, and track cyber threats.
• Helping organizations gain an advantaged position against cyber threats.
• What We Provide:
• Threat research.
• Malware analysis service
• Incident response / Investigation
• Consulting service
6. Malware Research
• Team T5 tracks 150+ malware families.
7. Campaign Tracking
• Team T5 tracks 60+ cyber espionage groups.
9. APT Review
• "APT" has been a popular term in the security industry since around 2009
• Many solutions look fancy, however breaches keep happening.
• People spent a lot of budget to improve their fences, but the effectiveness of
these security products remains doubtful.
12. Japan Pension Service Breach
• At least 27 PCs were infected
– Anti-virus software was installed, but it did not stop the infection.
• Personal information of about 1.25 million pension service participants was leaked in this attack.
• Spear-phishing emails with a malware attachment were sent to staff
– The email body claims the attachment is a medical receipt.
– Attachment title: "Regarding the Review of the Employee's Pension Fund (Draft)"
13. Petroleum Association of Japan
• More than 3 PCs were infected
• Data related to requests submitted to the government on petroleum policy was targeted
• About 250 files were leaked
• Spear-phishing emails with a malware attachment were sent to staff
– The email body claims the attachment is a medical receipt.
14. National Health Insurance Association
• More than 4 PCs were infected
• About 1,500 files were leaked
• Spear-phishing emails with a malware attachment were sent to staff
– The email body claims the attachment is a medical receipt.
17. It doesn't take a long time
• It can be just a few hours from infection to intrusion and data leakage.
• Our observation shows that 80% of victims leak data within 5 hours of being compromised.
Reconnaissance → Initial Intrusion → Control → Strengthen → Data Exfiltration (about 5 hrs from Initial Intrusion to Data Exfiltration)
18. 10+ Years of APT Attack History in Taiwan
• Most government agencies have either been compromised at some point or are still under the adversary's control.
– e.g. the Active Directory server was compromised.
• ALL industries are affected.
– ISPs, military contractors, defense industry, political parties, think tanks, trade organizations, university professors, social networks, e-commerce, employment websites, online games.
• Get along with them peacefully?
– Clean up all infections?
– Reinstall all endpoints?
33. APT Solutions?
• When people talk about APT solutions, they are usually thinking of one of the following technologies:
• Anti-virus
• Sandbox
• Next Generation Firewall / Intrusion prevention system
• SIEM (Security Information and Event Management)
• Application Control
• Exploit Mitigation
• Incident Response Service
37. Anti-Virus?
• It is easy to evade AV detection at very low cost.
38. Sandbox?
• Approaches to bypassing a sandbox
• Hardware and configuration
– CPU ID and count
– Device information
– VMware backdoor I/O port
– Memory size
– Screen resolution
– VGA / network adapter product
• System environment
– Services
– System processes
– Windows product serial number
– Installed software list
– Registry keys
• Others
– Hotfix count
– System up time
– Mouse movement
– File count in the temp folder
– Desktop file count
– Installed antivirus
39. Anti-anti-sandbox?
• Patch the VMware string
• Patch the start-up time
• Patch the processor count
• Install more hotfixes
• Change the memory size
• ………
systeminfo output shown on the slide:
Host Name: ABC
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
System Manufacturer: VMware, Inc.
OS Build Type: Uniprocessor Free
Registered Owner: ABC
Original Install Date: 2/19/2014, 11:29:39 PM
System Boot Time: 8/18/2015, 3:13:02 PM
System Up Time: 0 Days, 0 Hours, 1 Minutes, 55 Seconds
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 2 Stepping 3 GenuineIntel ~2400 Mhz
System Manufacturer: QEMU
BIOS Version: Bochs Bochs, 1/1/2007
Total Physical Memory: 1,024 MB
Hotfix(s): 3 Hotfix(s) Installed.
[01]: KB2534111
[02]: KB958488
[03]: KB976902
Network Card(s): 1 NIC(s) Installed.
[01]: Realtek RTL8139C+ Fast Ethernet NIC
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 192.168.180.51
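As an added example (not code from the talk), the following Python script applies several of the checks from slide 38 to the systeminfo output reproduced above, and then to a constructed "anti-anti-sandbox" variant in which the vendor strings, up time, processor count, memory size and hotfix count have been patched as slide 39 suggests, while the emulated NIC model was left alone. The thresholds, the vendor-string list and the second sample are assumptions made for the example.

```python
import re

# Vendor strings that commonly leak through the system information of a
# virtualised analysis host (assumed list, extend as needed).
VM_STRINGS = ("vmware", "qemu", "bochs", "virtualbox", "innotek", "xen")
# NIC models typically emulated by hypervisors rather than found on real desktops.
VM_NICS = ("rtl8139", "pcnet", "vmware")

# Constructed sample: the systeminfo output of slide 39, trimmed to the fields
# the heuristics below inspect.
SANDBOX_SYSTEMINFO = """\
Host Name:                 ABC
OS Name:                   Microsoft Windows XP Professional
System Manufacturer:       QEMU
OS Build Type:             Uniprocessor Free
System Boot Time:          8/18/2015, 3:13:02 PM
System Up Time:            0 Days, 0 Hours, 1 Minutes, 55 Seconds
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 2 Stepping 3 GenuineIntel ~2400 Mhz
BIOS Version:              Bochs Bochs, 1/1/2007
Total Physical Memory:     1,024 MB
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB958488
                           [03]: KB976902
Network Card(s):           1 NIC(s) Installed.
                           [01]: Realtek RTL8139C+ Fast Ethernet NIC
"""

# Constructed "anti-anti-sandbox" variant: vendor strings, up time, CPU count,
# memory and hotfix count patched, but the emulated NIC model left untouched.
PATCHED_SYSTEMINFO = """\
Host Name:                 ABC
OS Name:                   Microsoft Windows XP Professional
System Manufacturer:       Dell Inc.
System Up Time:            3 Days, 7 Hours, 42 Minutes, 10 Seconds
Processor(s):              4 Processor(s) Installed.
BIOS Version:              Dell Inc. A12, 6/3/2013
Total Physical Memory:     8,192 MB
Hotfix(s):                 27 Hotfix(s) Installed.
Network Card(s):           1 NIC(s) Installed.
                           [01]: Realtek RTL8139C+ Fast Ethernet NIC
"""


def parse_systeminfo(text):
    """Parse systeminfo output into {field: value}; numbered sub-entries
    ("[01]: ...") are collected in a list under "<field> list"."""
    info, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        sub = re.match(r"\s*\[\d+\]:\s*(.*)$", line)
        if sub and last is not None:
            info.setdefault(last + " list", []).append(sub.group(1).strip())
            continue
        kv = re.match(r"^([^:]+?):\s+(.*)$", line)
        if kv:
            last = kv.group(1).strip()
            info[last] = kv.group(2).strip()
    return info


def leading_int(value):
    """First integer in a field such as '1,024 MB' or '3 Hotfix(s) Installed.'"""
    m = re.search(r"\d[\d,]*", value)
    return int(m.group().replace(",", "")) if m else 0


def uptime_minutes(value):
    """'0 Days, 0 Hours, 1 Minutes, 55 Seconds' -> minutes as a float."""
    parts = {unit: int(n) for n, unit in re.findall(r"(\d+)\s+(Day|Hour|Minute|Second)", value)}
    return (parts.get("Day", 0) * 1440 + parts.get("Hour", 0) * 60
            + parts.get("Minute", 0) + parts.get("Second", 0) / 60)


def score_sandbox(text, min_uptime_min=10, min_cpus=2, min_mem_mb=2048, min_hotfixes=10):
    """Return (score, reasons). Every heuristic that fires adds one point; the
    thresholds are assumptions an implant would tune per campaign."""
    info = parse_systeminfo(text)
    reasons = []
    vendor_fields = " ".join(info.get(k, "") for k in
                             ("System Manufacturer", "System Model", "BIOS Version")).lower()
    hits = [s for s in VM_STRINGS if s in vendor_fields]
    if hits:
        reasons.append("virtualisation vendor strings: " + ", ".join(hits))
    if "System Up Time" in info and uptime_minutes(info["System Up Time"]) < min_uptime_min:
        reasons.append("system up time under %d minutes" % min_uptime_min)
    if leading_int(info.get("Processor(s)", "")) < min_cpus:
        reasons.append("fewer than %d processors" % min_cpus)
    if leading_int(info.get("Total Physical Memory", "")) < min_mem_mb:
        reasons.append("less than %d MB of RAM" % min_mem_mb)
    if leading_int(info.get("Hotfix(s)", "")) < min_hotfixes:
        reasons.append("fewer than %d hotfixes installed" % min_hotfixes)
    nics = " ".join(info.get("Network Card(s) list", [])).lower()
    if any(n in nics for n in VM_NICS):
        reasons.append("hypervisor-emulated NIC model")
    return len(reasons), reasons


if __name__ == "__main__":
    for name, sample in (("sandbox", SANDBOX_SYSTEMINFO), ("patched", PATCHED_SYSTEMINFO)):
        score, reasons = score_sandbox(sample)
        print("%s: score %d, %s" % (name, score, "; ".join(reasons) or "nothing suspicious"))
```

The unpatched sample trips every heuristic; the patched one still scores one point because of the emulated NIC, which is the asymmetry the slide describes: each vendor fix costs engineering effort, while the attacker only needs to add one more cheap check.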
47. NGFW / IPS?
• Most APT malware traffic is either encoded or encrypted, and the C2 IPs change rapidly.
(figure source: www.passivetotal.org)
48. SIEM?
• Even with the most powerful SIEM, no detection means no visibility.
• Logs are useless without efficient rules.
49. Application Control?
• Low adoption rate; refused by IT teams.
• Trade-off between convenience and security?
• Can still be bypassed (e.g. DLL sideloading)
• Non-PE backdoors, e.g. script trojans
50. Exploit Mitigation?
• A great defensive solution.
• However, the adoption rate is quite low, even for the free EMET.
• Stability and compatibility concerns.
• Exploit-based attacks are becoming less common.
51. Incident Response Service?
• A one-time service is not enough to solve a "persistent" problem.
• It is not easy to clean up all infections completely.
• The attack comes right back after the IR service.
• The service cost is usually not affordable for victims.
• Root causes are not easy to find.
• You can probably find all the malware, but where is the vulnerability?
• How do you prevent the next attack?
52. No Solutions to Social Engineering..
• Spear-phishing emails with an insurance fee theme in Operation Eclipse.
53. No Solutions to Social Engineering..
• The email might be sent from your co-workers.
54. Failures of security industry
• Security vendors don't understand cyber espionage threats.
• Cyber espionage is not easy to observe without experience.
• It is hard to understand without standing at the front line (IR).
• How do you defend without knowing what is coming?
55. Failures of security industry
• Actors are quicker than security vendors
• Actors change rapidly in response to the vendors' latest techniques and solutions.
• Actors rebuild malware and register C2 domains specifically for each target.
56. Failures of security industry
• Actors are quicker than security vendors
• Vendors keep collecting OLD samples / C2s after the attack and writing signatures to detect those OLD samples / C2s.
• Malware updates are always faster than security products.
57. Failures of security industry
• Ignorance of vulnerabilities
• Vulnerabilities play a very important role
• Solutions to 0days?
• Too much vulnerability information.
• e.g. CloudyOmega deployed the Flash 0day (CVE-2015-5119) right after the Hacking Team leak. 10+ organizations were compromised within a week.
58. Is a CE attack complicated?
• A CE attack is this simple:
Actor → Spear-phishing email → attachment file (malware) or malicious link (http://im.malicious.link)
59. CE is not just a technical matter
• You are not facing a piece of malware or an attack technique.
• However, most security vendors only care about blocking an attack from the technical perspective.
• CE is your adversary, and they are human.
• They adapt and change rapidly.
• Security vendors only react to attack techniques.
• Security vendors only provide software and appliances.
• You need to learn the adversary's Tactics, Techniques, and Procedures (TTPs).
61. You Need to know...
• You will be pwned, sooner or later.
• If a single attack out of a million succeeds, you are compromised.
• So get ready for it. Be prepared.
• It is not all about defense; it also matters how fast you can mitigate the incident.
62. You Need to know...
• Cyber espionage is an endless war
• Your adversary won't stop.
• Be prepared for the war.
• "Know yourself and know your enemy, and you will never be defeated." - Sunzi's Art of War
63. You Need to know...
• Invest in people, not only in software or hardware
• Your enemies are human. They are well-trained hackers. You cannot rely on computer programs alone.
• You need a good security strategy to defend yourself. Only people can make strategy.
• Build your CSIRT: have a dedicated security team.
• Don't forget human weakness and social engineering.
64. Defense In Depth
• Security Guard (SOC/MSS team)
– 24x7 monitoring, stop the bad guys
• SWAT / Emergency Response (CSIRT team)
– Dispatch to the war zone, clean up and repair
• Fitness Doctor (CISO / manager)
– Plan and exercise the defense strategy
• Private Detective (threat analyst)
– Investigate and track, know the adversary's TTPs
Cycle: Research → Prevent → Detect → Respond
65. Case Study – A Taiwan Think Tank
• 500 researchers and assistants
• Doing policy research for 10+ government departments
• Targeted by 5+ different cyber espionage groups
• Active Directory server under the control of 2 groups
• A 0day in the antivirus update server was used to install malware
2014-10 Team T5 incident response
2014-11 T5 suggested a defense solution
2014-12 T5 daily monitoring began
2015-02 ~ No more CE incidents
69. Mitigation cycle
• When bad things happen, we act as fast as possible to:
• Collect samples
• Analyze samples
• Generate indicators / YARA rules
• Detect with the indicators
• Feed the results back into analysis (important)
• CE mitigation is a long-term task.
Mitigation cycle: Collect samples → Analyze samples → Generate indicators / YARA → Detect with indicators → Feedback (back to analysis)
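As an added example (not the speakers' tooling), here is a minimal version of that loop in Python. The "samples" are constructed, harmless byte strings carrying a made-up config marker, the proxy log lines are constructed, and the .example hostnames are placeholders, not real indicators. The point it shows is the feedback step: without it, the second implant is detected by a family string but its own C2 is never learned, so one beaconing host stays invisible in the proxy log.

```python
import hashlib
import re

# Constructed, harmless stand-ins for malware samples (not real files): each
# implant carries a config blob whose "c2=" field names its C2 host.
FILES = {
    "report.doc.exe": b"MZ\x90\x00 ... CFG|c2=update.news.example|key=7| ...",
    "svchost_update.exe": b"MZ\x90\x00 ... CFG|c2=cdn.mirror.example|key=9| ...",
    "notepad.exe": b"MZ\x90\x00 a legitimate program without the marker",
}

# Constructed proxy log lines: timestamp, client IP, method, URL, status.
PROXY_LOG = [
    "2015-08-18T15:20:01 10.1.2.7 GET http://update.news.example/img/a.gif 200",
    "2015-08-18T15:21:44 10.1.2.7 GET http://www.example.org/ 200",
    "2015-08-18T15:22:10 10.1.2.9 POST http://cdn.mirror.example/upload 200",
]

CONFIG_RE = re.compile(rb"CFG\|c2=([^|]+)\|")


class IndicatorSet:
    """Indicators produced by the 'analyze sample' step: file hashes, a byte
    string shared by the malware family, and the C2 hostnames."""

    def __init__(self):
        self.hashes, self.strings, self.domains = set(), set(), set()

    def analyze(self, data):
        self.hashes.add(hashlib.sha256(data).hexdigest())
        m = CONFIG_RE.search(data)
        if m:
            self.strings.add(b"CFG|c2=")      # family marker, survives rebuilds
            self.domains.add(m.group(1).decode())
        return m is not None

    def match_file(self, data):
        return (hashlib.sha256(data).hexdigest() in self.hashes
                or any(s in data for s in self.strings))

    def match_log(self, line):
        host = line.split()[3].split("/")[2]   # hostname part of the URL
        return host in self.domains


def mitigation_cycle(first_sample, files, log, feedback=True):
    """Run collect -> analyze -> indicators -> detect -> feedback.
    With feedback=False the loop stops after the first detection pass, so
    newly found samples are never analyzed for their own C2."""
    ind = IndicatorSet()
    ind.analyze(files[first_sample])
    detected = {first_sample}
    while True:
        new = [n for n, d in files.items() if n not in detected and ind.match_file(d)]
        if not new:
            break
        detected.update(new)
        if not feedback:
            break
        for n in new:                       # feedback: every hit is a new sample
            ind.analyze(files[n])
    beaconing = sorted({line.split()[1] for line in log if ind.match_log(line)})
    return sorted(detected), sorted(ind.domains), beaconing


if __name__ == "__main__":
    for fb in (False, True):
        print("feedback=%s -> %s" % (fb, mitigation_cycle("report.doc.exe", FILES, PROXY_LOG, feedback=fb)))
```

A hash alone only ever finds the OLD sample (slide 56); the family string finds the rebuilt one, and only feeding the rebuilt sample back into analysis yields the second C2 and the second infected host.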
71. Research Stage
(Repeats the Defense In Depth role diagram from slide 64, with the cycle Research → Prevent → Detect → Respond.)
72. Research Stage
• More surveillance cameras mean more footage to play back.
• Collect data for retro-hunting research
• Syslog server
• Web log server
• Passive DNS replication
• NetFlow recording
• Full packet recording
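As an added example of what that recorded data buys you (not the speakers' code), and also of the point from slide 48 that logs need rules to become visibility: a retro-hunt in Python over constructed passive DNS records and constructed BIND-style query log lines. Given one C2 name learned today, it pivots on the IP the name resolved to, finds the sibling name on the same infrastructure, and then searches the historic query log for every internal client that ever resolved either name. All names, IPs and timestamps are constructed (RFC 5737 documentation addresses and the reserved .example TLD).

```python
import re
from collections import defaultdict

# Constructed passive DNS records: (rrname, rdata, first_seen, last_seen).
PDNS = [
    ("update.news.example", "198.51.100.23", "2015-07-02", "2015-08-18"),
    ("cdn.mirror.example",  "198.51.100.23", "2015-07-30", "2015-08-18"),
    ("mail.news.example",   "198.51.100.41", "2015-08-10", "2015-08-18"),
    ("www.example.org",     "203.0.113.80",  "2014-01-01", "2015-08-18"),
]

# Constructed BIND-style query log lines as kept on the syslog server.
QUERY_LOG = [
    "Jul  3 08:12:05 dns1 named[812]: client 10.1.3.4#33011: query: update.news.example IN A +",
    "Aug 17 09:02:11 dns1 named[812]: client 10.1.2.9#40011: query: cdn.mirror.example IN A +",
    "Aug 18 15:19:58 dns1 named[812]: client 10.1.2.7#51234: query: update.news.example IN A +",
    "Aug 18 15:21:40 dns1 named[812]: client 10.1.2.7#51240: query: www.example.org IN A +",
]

QUERY_RE = re.compile(
    r"^(\w{3}\s+\d+ [\d:]+) .*client (\d+\.\d+\.\d+\.\d+)#\d+.*?query: (\S+) IN")


def pivot_on_ip(pdns, seed):
    """Names that resolved to any IP the seed name resolved to (one hop)."""
    ips = {rdata for name, rdata, _, _ in pdns if name == seed}
    return sorted({name for name, rdata, _, _ in pdns if rdata in ips})


def hosts_that_queried(log, names):
    """{name: [(timestamp, client), ...]} for each queried name of interest."""
    hits = defaultdict(list)
    for line in log:
        m = QUERY_RE.match(line)
        if m and m.group(3) in names:
            hits[m.group(3)].append((m.group(1), m.group(2)))
    return dict(hits)


def retro_hunt(seed, pdns=PDNS, log=QUERY_LOG):
    """Expand a newly learned C2 name over passive DNS, then find every
    internal client that ever resolved one of the related names."""
    related = pivot_on_ip(pdns, seed)
    hits = hosts_that_queried(log, set(related))
    clients = sorted({c for entries in hits.values() for _, c in entries})
    return related, hits, clients


if __name__ == "__main__":
    related, hits, clients = retro_hunt("update.news.example")
    print("related names:", related)
    for name, entries in sorted(hits.items()):
        print(name, "->", entries)
    print("clients to investigate:", clients)
```

The July entry for 10.1.3.4 is the kind of hit the slide's "more footage" argument is about: that host would never show up in today's proxy alerts, but it did resolve the C2 six weeks earlier, which is consistent with the 5-hour exfiltration window from slide 17 having long since passed.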
74. Prevent Stage
• Consulting on the IT security budget
• Consulting on the defense deployment strategy
• Consulting on choosing proper APT solutions by running PoC tests
• Building a CSIRT team
• Building risk assessment criteria
• Building a threat intelligence program
76. Conclusion
• Security vendors' technology is advanced and elegant.
• However, actors usually bypass it quickly at very low cost.
• Because vendors don't understand the actors well.
• Malware updates are always faster than security products.
• New protection features always get bypassed within a few weeks.
77. Conclusion
• To cyber espionage targets:
• Face the threat. Prepare for a long-term battle once it has happened.
• Try as hard as you can to secure your e-mail.
• A cyber espionage incident is hard to deal with. Make a long-term recovery plan.
• Build a CSIRT to fight the cyber war.
• To security vendors:
• You need to follow the cyber espionage actors.
• Not only their TTPs, but also campaign tracking.
• Please provide long-term service for cyber espionage victims.
Speaker notes (slide 39):
A very simple example. This is basic system information. Can you tell me whether it is in a sandbox?
There is just too much information you can use to identify a sandbox.
Of course security vendors want to improve this; they implement new techniques for anti-anti-sandbox.
The cost of implementing anti-anti-sandbox is very high, but attackers can bypass it again with very low-cost tricks.
If you are an attacker, do you think a sandbox will give you many problems?